The Heartbleed Bug

anirbandd

Conversation Architect
No one is going to target small Indian sites (compared to their international counterparts). As for the black hat/white hat argument, there is not much difference between them. Many times black hats work as white hats & white hats work as black hats. Do not be under the impression that you can be a good hat (white or black) by following only "legitimate" methods.

You are not talking about banking sites, I hope?

Indian banks have a lot of "potential"... after all, [almost] all of our politicians are scamsters. :)
 

whitestar_999

Super Moderator
Staff member
Indian banks, just like other banks, were not affected by the Heartbleed bug as they don't use OpenSSL. As for "potential", again no Indian scamster worth his salt would put his ill-gotten money in an Indian bank (& those who do are amateurs who got caught & whose names you see in the papers).
 

flyingcow

Shibe
Saw this today:
*imgs.xkcd.com/comics/heartbleed_explanation.png
But couldn't people do that already? SSL injection or something like that, I think?
 

anirbandd

Conversation Architect
NSA could, according to reports. :p

This is what happens when a group of underfunded enthusiastic individuals work for the good of the web.
 

whitestar_999

Super Moderator
Staff member
NSA could because there was this vulnerability. Another way is to directly tap servers, in which case pretty much any security measure is useless, but it is also much more difficult to hide. As for this vulnerability, read some discussions over the web in which many good programmers have blamed the lack of sincere effort & participation in the development of OpenSSL, which proves the point that any open source software is only as good as the people participating in its development. That is why banks & major financial institutions don't use it. There is a reason why they say you get what you pay for.
 

snap

Lurker
Anyone tried this? *chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic?hl=en
 

tkin

Back to school!!
> NSA could because there was this vulnerability. Another way is to directly tap servers, in which case pretty much any security measure is useless, but it is also much more difficult to hide. As for this vulnerability, read some discussions over the web in which many good programmers have blamed the lack of sincere effort & participation in the development of OpenSSL, which proves the point that any open source software is only as good as the people participating in its development. That is why banks & major financial institutions don't use it. There is a reason why they say you get what you pay for.

IMHO commercial institutions tend to stay away from using open source:

1. The code, at least the root code, is open; anyone and everyone can see it. If a bug exists it will be exposed to white-box testing, which is very dangerous; it's much more difficult to find bugs via black-box testing.
2. If they pay for the code then there is someone to blame; if they suffer financial losses due to a bug then they can charge the vendor. There is usually a warranty period.

Then again there are exceptions. My previous project was for State Farm insurance; they use a host of open source software, like PostgreSQL, the Spring framework, etc. You won't see that in India though.
 